CLAIMS 
We claim: 



1 1 . A method in a network access device comprising: 

2 without proxying, analyzing each of a stream of packets traversing a single 

3 connection through the network access device from an external host to a 

4 protected host; 

5 forwarding each allowed packet of the stream of packets as long as the connection is 

6 active; and 

7 if one of the stream of packets is determined to be disallowed by said analyzing, then 

8 discarding the disallowed packet and terminating the connection, causing the 

9 protected host to discard those packets received on the terminated connection. 

1 2. The method of claim 1 wherein analyzing each of the stream of packets comprises 

2 inspecting a header of each of the stream of packets against a packet filter. 

1 3. The method of claim 1 wherein analyzing each of the stream of packets comprises 

2 inspecting a payload of each of the stream of packets for disallowed content. 

1 4. The method of claim 3 wherein inspecting the payload of each of the stream of 

2 packets comprises copying the payload, analyzing the payload, and discarding the 

3 corresponding packet if the payload is threatening. 

1 5. The method of claim 1 further comprising: 

2 copying a payload from each of a plurality of packets that comprise a file, the stream 

3 of packets including the plurality of packets; 

4 forwarding all but the last of the plurality of packets to the protected host; 

5 reassembling the plurality of packets into the file; 

6 analyzing the file; 
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7 if the file is a threatening file then discarding the last packet and terminating the 

8 connection; and 

9 if the file is non-threatening, then forwarding the last packet. 

1 6. A computer implemented method comprising: 

2 copying a packet payload of each of a plurality of packets received on a single 

3 connection between an external host and a protected host that carries a stream 

4 of packets the stream of packets including the plurality of packets; 

5 forwarding all but the last of the plurality of packets to the protected host; 

6 reassembling the copied packet payloads into a file; 

7 analyzing the file to determine if the file is allowed or disallowed; 

8 if the file is allowed, then forwarding the last packet to the protected host; and 

9 if the file is determined to be disallowed, then dropping the last packet and 
10 terminating the connection. 

1 7. The computer implemented method of claim 6 wherein the analyzing the file 

2 comprises performing anti-virus analysis on the file. 

1 8. The computer implemented method of claim 6 further comprising: 

2 analyzing a header of each of the stream of packets; and 

3 if one of the stream of packets is determined to be disallowed, then discarding the 

4 disallowed packet and terminating the connection. 

1 9. The computer implemented method of claim 8 wherein analyzing the header 

2 comprises inspecting addresses indicated in the header against a packet filter. 

1 10. The computer implemented method of claim 6 further comprising: 

2 individually analyzing each of the copied packet payloads; and 
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if one of the copied packet payloads is determined to be threatening, then discarding 
the corresponding packet and terminating the connection. 



1 11. The computer implemented method of claim 10 wherein analyzing each of the copied 

2 packet payloads comprises inspecting each copied packet payload against a list of disallowed 

3 content and determining if each copied packet payload includes threatening script. 

1 12. The computer implemented method of claim 6 further comprising maintaining the 

2 connection while analyzing the file. 

1 13. The computer implemented method of claim 12 wherein maintaining the connection 

2 comprises: 

3 decapsulating the last packet's payload; 

4 fragmenting the last packet's payload into subparts; 

5 encapsulating each subpart; and 

6 forwarding each subpart until analysis is complete. 

1 14. The computer implemented method of claim 12 wherein maintaining the connection 

2 comprises: 

3 copying each of the plurality of packets but the last packet before forwarding each of 

4 the plurality of packets; and 

5 holding the last packet and repeatedly forwarding the last copied packet. 

1 15. The computer implemented method of claim 12 wherein maintaining the connection 

2 comprises increasing transmission latency of each acknowledgement transmitted from the 

3 protected host to the external host until the analysis is complete. 
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1 16. The computer implemented method of claim 6 wherein forwarding each of the 

2 plurality of packets comprises transmitting a message indicating that each of the of the 

3 plurality of packets is allowed. 

1 17. A computer implemented method comprising: 

2 supporting a connection from an external host to a protected host; 

3 analyzing a header of each packet received over the connection from the external 

4 host; 

5 terminating the connection if a first packet received over the connection is determined 

6 to be disallowed and discarding the first packet; 

7 if the connection is not terminated, copying the first packet's payload; 

8 analyzing the first packet's payload; 

9 terminating the connection if said first packet's payload is determined to be 

10 disallowed and discarding the first packet; 

1 1 if the connection has not been terminated and if said first packet's payload is not a last 

12 block of a file, then forwarding said first packet to the protected host; 

13 if said first packet's payload is the last block of a file, then reassembling the first 

14 packet's payload with a set of one or more previously copied packet payloads 

15 into the file; 

16 analyzing the file to determine if the file is allowed or disallowed; 

17 if the file is disallowed then dropping the first packet and terminating the connection; 

18 and 

19 if the file is allowed then forwarding the first packet. 

1 18. The computer implemented method of claim 17 further comprising maintaining the 

2 connection while analyzing the file. 

1 19. The computer implemented method of claim 1 8 wherein maintaining the connection 

2 comprises: 
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3 decapsulating the last packet's payload; 

4 fragmenting the last packet's payload into subparts; 

5 encapsulating each subpart; and 

6 forwarding each subpart until analysis is complete. 

1 20. The computer implemented method of claim 18 wherein maintaining the connection 

2 comprises: 

3 copying each of the plurality of packets but the last packet before forwarding each of 

4 the plurality of packets; and 

5 holding the last packet and repeatedly forwarding the last copied packet. 

1 21. The computer implemented method of claim 1 8 wherein maintaining the connection 

2 comprises increasing transmission latency of each acknowledgement transmitted from the 

3 protected host to the external host until the analysis is complete. 

1 22. The computer implemented method of claim 6 wherein the analyzing the file 

2 comprises performing anti-virus analysis on the file. 

1 23. The computer implemented method of claim 8 wherein analyzing the header 

2 comprises inspecting addresses indicated in the header against a packet filter. 

1 24. The computer implemented method of claim 10 wherein analyzing each of the copied 

2 packet payloads comprises inspecting each copied packet payload against a list of disallowed 

3 content and determining if each copied packet payload includes threatening script. 

1 25. An apparatus comprising: 

2 a forwarding module to forward packets of a datastream along a connection between a 

3 protected host and an external host; and 
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4 



a datastream analysis module coupled with the forwarding module, the datastream 



5 



analysis module to analyze each of the packets to determine if each of the 



6 



packets are allowed or disallowed and to terminate the connection upon 



7 



determining one of the packets to be disallowed and to discard the disallowed 



8 



packet, causing the protected host to discard packets received on the 



9 



terminated connection prior to the disallowed packet. 



1 26. The apparatus of claim 25 further comprising a memory to store each of the packets 

2 until forwarded or discarded. 

1 27. The apparatus of claim 25 further comprising a memory coupled with the datastream 

2 analysis module, the memory to store copies of each of the packets' payloads. 

1 28. A machine-readable medium that provides instructions, which when executed by a set 

2 of one or more processors, cause said set of processors to perform operations comprising: 

3 without proxying, analyzing each of a stream of packets traversing a single 

4 connection through the network access device from an external host to a 

5 protected host; 

6 forwarding each allowed packet of the stream of packets as long as the connection is 

7 active; and 

8 if one of the stream of packets is determined to be disallowed by said analyzing, then 

9 discarding the disallowed packet and terminating the connection, causing the 
10 protected host to discard those packets received on the terminated connection. 

1 29. The machine-readable medium of claim 28 wherein analyzing each of the stream of 

2 packets comprises inspecting a header of each of the stream of packets against a packet filter. 
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1 30. The machine-readable medium of claim 28 wherein analyzing each of the stream of 

2 packets comprises inspecting a payload of each of the stream of packets for disallowed 

3 content. 

1 31. The machine-readable medium of claim 30 wherein inspecting the payload of each of 

2 the stream of packets comprises copying the payload, analyzing the payload, and discarding 

3 the corresponding packet if the payload is threatening. 

1 32. The machine-readable medium of claim 28 further comprising: 

2 copying a payload from each of a plurality of packets that comprise a file, the stream 

3 of packets including the plurality of packets; 

4 forwarding all but the last of the plurality of packets to the protected host; 

5 reassembling the plurality of packets into the file; 

6 analyzing the file; 

7 if the file is a threatening file then discarding the last packet and terminating the 

8 connection; and 

9 if the file is non-threatening, then forwarding the last packet. 

1 33. A machine-readable medium that provides instructions, which when executed by a set 

2 of one or more processors, cause said set of processors to perform operations comprising: 

3 copying a packet payload of each of a plurality of packets received on a single 

4 connection between an external host and a protected host that carries a stream 

5 of packets the stream of packets including the plurality of packets; 

6 forwarding all but the last of the plurality of packets to the protected host; 

7 reassembling the copied packet payloads into a file; 

8 analyzing the file to determine if the file is allowed or disallowed; 

9 if the file is allowed, then forwarding the last packet to the protected host; and 

10 if the file is determined to be disallowed, then dropping the last packet and 

1 1 terminating the connection. 
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34. The machine-readable medium of claim 33 wherein the analyzing the file comprises 
performing anti-virus analysis on the file. 



1 35. The machine-readable medium of claim 33 further comprising: 

2 analyzing a header of each of the stream of packets; and 

3 if one of the stream of packets is determined to be disallowed, then discarding the 

4 disallowed packet and terminating the connection. 

1 36. The machine-readable medium of claim 35 wherein analyzing the header comprises 

2 inspecting addresses indicated in the header against a packet filter. 

1 37. The machine-readable medium of claim 33 further comprising: 

2 individually analyzing each of the copied packet payloads; and 

3 if one of the copied packet payloads is determined to be threatening, then discarding 

4 the corresponding packet and terminating the connection. 

1 38. The machine-readable medium of claim 37 wherein analyzing each of the copied 

2 packet payloads comprises inspecting each copied packet payload against a list of disallowed 

3 content and determining if each copied packet payload includes threatening script. 

1 39. The machine-readable medium of claim 33 further comprising maintaining the 

2 connection while analyzing the file. 

1 40. The machine-readable medium of claim 39 wherein maintaining the connection 

2 comprises: 

3 decapsulating the last packers payload; 

4 fragmenting the last packet's payload into subparts; 

5 encapsulating each subpart; and 
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6 forwarding each subpart until analysis is complete. 

1 41. The machine-readable medium of claim 39 wherein maintaining the connection 

2 comprises: 

3 copying each of the plurality of packets but the last packet before forwarding each of 

4 the plurality of packets; and 

5 holding the last packet and repeatedly forwarding the last copied packet. 

1 42. The machine-readable medium of claim 39 wherein maintaining the connection 

2 comprises increasing transmission latency of each acknowledgement transmitted from the 

3 protected host to the external host until the analysis is complete. 

1 43. The machine-readable medium of claim 33 wherein forwarding each of the plurality 

2 of packets comprises transmitting a message indicating that each of the of the plurality of 

3 packets is allowed. 

1 44. A machine-readable medium that provides instructions, which when executed by a set 

2 of one or more processors, cause said set of processors to perform operations comprising: 

3 supporting a connection from an external host to a protected host; 

4 analyzing a header of each packet received over the connection from the external 

5 host; 

6 terminating the connection if a first packet received over the connection is determined 

7 to be disallowed and discarding the first packet; 

8 if the connection is not terminated, copying the first packet's payload; 

9 analyzing the first packet's payload; 

10 terminating the connection if said first packet's payload is determined to be 

1 1 disallowed and discarding the first packet; 

12 if the connection has not been terminated and if said first packet's payload is not a last 

13 block of a file, then forwarding said first packet to the protected host; 
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14 if said first packet's payload is the last block of a file, then reassembling the first 

15 packet's payload with a set of one or more previously copied packet payloads 

16 into the file; 

17 analyzing the file to determine if the file is allowed or disallowed; 

18 if the file is disallowed then dropping the first packet and terminating the connection; 

19 and 

20 if the file is allowed then forwarding the first packet. 

1 45. The machine-readable medium of claim 44 further comprising maintaining the 

2 connection while analyzing the file. 

1 46. The machine-readable medium of claim 45 wherein maintaining the connection 

2 comprises: 

3 decapsulating the last packet's payload; 

4 fragmenting the last packet's payload into subparts; 

5 encapsulating each subpart; and 

6 forwarding each subpart until analysis is complete. 

1 47. The machine-readable medium of claim 45 wherein maintaining the connection 

2 comprises: 

3 copying each of the plurality of packets but the last packet before forwarding each of 

4 the plurality of packets; and 

5 holding the last packet and repeatedly forwarding the last copied packet. 

1 48. The machine-readable medium of claim 45 wherein maintaining the connection 

2 comprises increasing transmission latency of each acknowledgement transmitted from the 

3 protected host to the external host until the analysis is complete. 
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1 49. The machine-readable medium of claim 33 wherein the analyzing the file comprises 

2 performing anti-virus analysis on the file. 

1 50. The machine-readable medium of claim 35 wherein analyzing the header comprises 

2 inspecting addresses indicated in the header against a packet filter. 

1 51. The machine-readable medium of claim 37 wherein analyzing each of the copied 

2 packet payloads comprises inspecting each copied packet payload against a list of disallowed 

3 content and determining if each copied packet payload includes threatening script. 

1 
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